[UNPATCHED] Major Apple security flaw grants admin access on macOS High Sierra without password

[79wjd]

1 minute ago, DrMacintosh said:

Yes you did. By saying you should include it win 10.13.1 that means everyone already on 10.13.1 would see an update for their machines. 

 

The solution was what Apple did. 

 

Give the update to everyone on 10.13.0 and 10.13.1. If they update to 10.13.1 after getting the patch send them the update again. 

 

2 minutes ago, djdwosk97 said:

No. What happened is they pushed the patch out to all users. If you're on 10.13.1, then you're patched and good. If you were on 10.13.0 and patched then you were good until you chose to upgrade to 10.13.1, then you're vulnerable again. There is no reason why the patch shouldn't have also been bundled to the 10.13.1 update.

I'm done arguing with stupid for the day. You can keep bothering @Sauron. (sorry @Sauron)

[ItsMitch]

my alerts, too many alerts and im so confused by whats happened in this thread

[DrMacintosh]

1 minute ago, djdwosk97 said:

 

I'm done arguing with stupid for the day. You can keep bothering @Sauron. (sorry @Sauron)

You are also completely forgetting that speed was of the essence here. 

 

Pulling the 10.13.1 update and then rebuilding it would have taken longer than just pushing out the patch which was the main goal and that goal was achieved no matter how you think it should have been done. 

 

If you can't see that, well then that is on you. 

[vanished]

14 minutes ago, DrMacintosh said:

It really is. 

 

OS version X is not patched--> becomes patches--> updates to a version that was out before this issue was found--> OS is no longer patched. 

 

It's easy really. 

Wow really?  This is just a straight up mistake on Apple's part.  If you can't admit that... idek

[79wjd]

2 minutes ago, SC2Mitch said:

my alerts, too many alerts and im so confused by whats happened in this thread

I offended Apple. That's about it. 

2 minutes ago, DrMacintosh said:

You are also completely forgetting that speed was of the essence here. 

 

Pulling the 10.13.1 update and then rebuilding it would have taken longer than just pushing out the patch which was the main goal and that goal was achieved no matter how you think it should have been done. 

 

If you can't see that well then that is on you. 

They didn't need to rebuild the update, just append the patch onto the update as part of the update bundle. Anyway, like I said, I'm done with you. This will be my last response. 

[DrMacintosh]

5 minutes ago, SC2Mitch said:

my alerts, too many alerts and im so confused by whats happened in this thread

Timeline: 

 

Security hole found in MacOS High Sierra 10.13.X--> Apple patches this with security update 2017-001--> Thread is edited to now be about a new story where if you were on 10.13.0 and updated to 10.13.1 the patch would go away and you would have to reinstall 2017-001--> argument about how best to deploy 2017-001 occurs between @djdwosk97 and @DrMacintosh

 

Really a new thread should have been created. 

[Sauron]

15 minutes ago, DrMacintosh said:

Or just send one patch for everyone. 

 

Those on 10.13.1 just need to install the patch rather than the whole OS version again and those on 10.13.0 need to update to 10.13.1 then install the patch. 

 

Sounds easy to me. 

Do you realize we're talking about unrestricted root access without a password? This is almost criminal negligence. Expecting the user to repatch is the same as asking them to just set a root password.

[DrMacintosh]

Just now, Sauron said:

Expecting the user to repatch is the same as asking them to just set a root password.

It was patched for all those affected, that is all that matters. 

[divito]

The fact the patch was/is allowed to be applied before forcing the user on 10.13.0 to update to 10.13.1 and then apply the patch is a little ridiculous. Speed and everything is one thing, ignorance to user safety is another.

[79wjd]

9 minutes ago, divito said:

The fact the patch was/is allowed to be applied before forcing the user on 10.13.0 to update to 10.13.1 and then apply the patch is a little ridiculous. Speed and everything is one thing, ignorance to user safety is another.

You shouldn't be forced to update to 10.13.1 to get the patch, the patch should be available for any revision of High Sierra, but should also be bundled with any OS update.

[divito]

1 hour ago, djdwosk97 said:

You shouldn't be forced to update to 10.13.1 to get the patch, the patch should be available for any revision of High Sierra, but should also be bundled with any OS update.

I more so meant, depending on the technical specifics, that you end up with a patched version at the end of everything. Patching 10.13.0 and then the subsequent 10.13.1 update removing that very patch is a significant oversight in the name of patch speed. Whether that's a nature of the patch itself, or how they package their updates, it's not as it should be. 

[79wjd]

7 minutes ago, divito said:

I more so meant, depending on the technical specifics, that you end up with a patched version at the end of everything. Patching 10.13.0 and then the subsequent 10.13.1 update removing that very patch is a significant oversight in the name of patch speed. Whether that's a nature of the patch itself, or how they package their updates, it's not as it should be. 

I can accept the 10.13.1 update not having the patch built in (yet), but the patch should have been bundled with the 10.13.1 update, and yes, this was a big oversight.

[vorticalbox]

On 28/11/2017 at 9:32 PM, ARikozuM said:

I'm saying that she wouldn't listen to me even though I'm licensed and board-certified. 

 

#MothersKnowBest

 

[suicidalfranco]

Glad i'm not alone

 

only difference between him and me is that i've had this issues since Yosemite

[Sauron]

19 hours ago, DrMacintosh said:

It was patched for all those affected, that is all that matters. 

No, because if they update to 13.1 the patch is undone and no warning is given, making anyone who does that automatically affected and without patch... since, unlike other systems, you aren't forced to update to anything, the least they can do is make sure that if and when you decide to update this massive security hole isn't there anymore, or is automatically patched by the updater.

 

Honestly I don't see how you can defend this, it's not like there are any positive sides here... there was a massive and unexcusable security flaw in a commercial system, which was bad enough by itself considering how much they charge for a mac with the excuse that the software is "better", and when they patched it they couldn't even bother to make sure nobody could accidentally revert the change. Say what you will about windows update, but this sort of stuff doesn't happen there.

[D13H4RD]

You know, this is why I really feel that yearly major OS updates need to either stop being a thing or release timelines slowed down.

 

It's pretty clear that this was a big oversight on the part of Apple's macOS development team, so obviously, when they heard of this, they had to patch it as soon as possible. At this stage, it's almost par for the course.

 

What's not normal is when said patch breaks file transfer and the subsequent update to fix it also ended up re-opening the security hole. That, to me, is the very definition of an update made without adequate testing.

 

There was a time where if you got an Apple device, it undeniably just worked. There wasn't all that much you could do on it compared to, say, a Windows machine or an Android phone, but whatever was on your Mac or iPhone just plain worked with little frustration. Now, though, I honestly feel like "It just works" is now "We swear, it will just work this time". Between this and the whole December 2nd iOS 11.1.2 bug causing iOS devices to crash resulting in Apple quickly releasing iOS 11.2 while it was still being beta-tested as a public release in order to fix it, I really feel Apple's software QC has slipped on more than a couple of banana peels lately, and honestly, so has Microsoft with Windows 10 (based on some experiences).

[79wjd]

4 minutes ago, D13H4RD2L1V3 said:

What's not normal is when said patch breaks file transfer and the subsequent update to fix it also ended up re-opening the security hole. That, to me, is the very definition of an update made without adequate testing.

The 10.13.1 update existed before the root bug or the patch for it was known/released (since October 31st). 10.13.1 undoing the patch is simply a case of Apple not bundling the patch into the 10.13.1 updater yet -- which is still a big oversight, but not as bad as pushing out the patch and then releasing an update without the patch. 

[D13H4RD]

Just now, djdwosk97 said:

The 10.13.1 update existed before the root bug or the patch for it was known/released. 10.13.1 undoing the patch is simply a case of Apple not bundling the patch into the 10.13.1 updater yet -- which is still a big oversight, but not as bad as pushing out the patch and then releasing an update without the patch. 

Not as bad, but it's still a blunder that I wouldn't have expected Apple of all companies to make.

[DrMacintosh]

2 hours ago, Sauron said:

No, because if they update to 13.1 the patch is undone

And then macOS tells you again that security update 2017-001 is available.......

[DrMacintosh]

2 hours ago, Sauron said:

Say what you will about windows update, but this sort of stuff doesn't happen there.

And yeah sure, this specific issue might not happen but instead whole machines are bricked, programs stop working, or entire lines of CPUs become open to massive exploits that can’t be solved with a simple firmware update......

 

And you do know MS fired their testing teams right? 

[DrMacintosh]

2 hours ago, D13H4RD2L1V3 said:

Apple quickly releasing iOS 11.2 while it was still being beta-tested as a public release

Just a little correction on that, iOS 11.2 was on Beta 6 and was largely regarded as the GM version of that release meaning Apple was already set to release it to the public on Monday but because of the 11.1.2 bug affecting some amount of users they pushed it to Friday. 

[Sauron]

1 minute ago, DrMacintosh said:

And then macOS tells you again that security update 2017-001 is available.......

It should install automatically and immediately. It also doesn't tell you you need to reboot for it to work this time. If you're among those who didn't install 13.1 immediately, chances are you won't instantly install every update that pops up if it doesn't explicitly inform you of the risk you run if you don't.

2 minutes ago, DrMacintosh said:

And yeah sure, this specific issue might not happen but instead whole machines are bricked, programs stop working, or entire lines of CPUs become open to massive exploits that can’t be solved with a simple firmware update......

 

And you do know MS fired their testing teams right? 

I'd honestly rather have a bricked machine (and by the way, a broken windows installation is not a brick... you just need to reinstall windows. Not ideal, but it doesn't render the hardware useless.) than giving out root access to anyone who wants it. CPU firmware exploits are not caused by windows... and they are present on macs as well.

 

What does their firing of their testing team have to do with this? Does it matter if Apple's team can't even find a bug as ridiculous as this one? Perhaps the wrong team got fired here.

[DrMacintosh]

1 minute ago, Sauron said:

If you're among those who didn't install 13.1 immediately, chances are you won't instantly install every update that pops up if it doesn't explicitly inform you of the risk you run if you don't.

Thats a risk you take in using an operating system that gives you a choice. 

[vanished]

17 minutes ago, DrMacintosh said:

Thats a risk you take in using an operating system that gives you a choice. 

It doesn't take a top level computer scientist to realize that no update should undo the patch of a previous one, ever.  There is no excuse for that, it's just a lazy mistake.

[Sauron]

4 minutes ago, DrMacintosh said:

Thats a risk you take in using an operating system that gives you a choice. 

No, it's not - not when you pay a large premium for it. There also is no choice involved here, nobody chooses to leave the root account open when it claims to be disabled. This is pure laziness if not incompetence on Apple's part, and the more I argue with you the less I can blame them... why care when some of their customers will just defend every mistake they commit to their death? Why test the system properly when you can just release it and patch it later when bugs are found and nobody will hold them accountable? There was a time when things like this were unheard of on Apple systems.

 

But sure, keep on defending them - eventually the system will barely even function on launch and you'll just take it and hope for quick patches. Oh wait, iOS 8 did that... but hey, it got patched, right...?

GNU/Linux distributions also give you a choice, but you can bet that critically flawed packages are no longer hosted on any repository as soon as the patched version comes out - and those are completely free and open source, so Apple really has no excuse to be worse in any way.

 

As bad as this is, it doesn't mean you suddenly have to hate Apple or any of their products, but refusing to admit it is a big problem is doing a disservice to anyone who enjoys them; it just makes it easier for them to get away with it and care increasingly less every time. No system or company is perfect, but refusing to give negative feedback when it's called for inevitably makes them worse.